exaai-agent 2.0.9__py3-none-any.whl → 2.2.0__py3-none-any.whl

exaaiagnt/interface/cli.py

@@ -30,39 +30,66 @@ BANNER = r"""
 """
 
 
+from exaaiagnt.dashboard.server import start_dashboard
+
 async def run_cli(args: Any) -> None:  # noqa: PLR0915
-    console = Console()
-    
-    # Clear screen and show banner
-    console.clear()
-    console.print()
-    console.print(BANNER, style="bold cyan", justify="center")
-    console.print("[bold purple]Advanced AI-Powered Cybersecurity Agent[/]", justify="center")
-    console.print("[dim]v2.0.0[/]", justify="center")
-    console.print()
+    # Start the live dashboard
+    try:
+        start_dashboard()
+        console_temp = Console()
+        console_temp.print("[bold green]🚀 Live Dashboard available at: http://localhost:8000[/]")
+    except Exception as e:
+        import logging
+        logging.error(f"Failed to start dashboard: {e}")
 
-    # Target info table
-    target_table = Table(show_header=True, header_style="bold cyan", border_style="cyan")
-    target_table.add_column("Type", style="dim")
-    target_table.add_column("Target", style="white")
-    
-    for target_info in args.targets_info:
-        target_type = target_info.get("type", "URL")
-        target_table.add_row(target_type, target_info["original"])
+    # Detect if running in a real terminal or headless (pipe/background)
+    is_tty = sys.stdout.isatty()
+    console = Console(force_terminal=is_tty, no_color=not is_tty)
     
-    console.print(Panel(target_table, title="[bold cyan]🎯 Targets", border_style="cyan"))
-    console.print()
+    if is_tty:
+        # Clear screen and show banner only in interactive terminal
+        console.clear()
+        console.print()
+        console.print(BANNER, style="bold cyan", justify="center")
+        console.print("[bold purple]Advanced AI-Powered Cybersecurity Agent[/]", justify="center")
+        console.print("[dim]v2.1.2[/]", justify="center")
+        console.print()
+    else:
+        # Simple text output for headless/pipe mode
+        print("=" * 50)
+        print("ExaAiAgent - AI-Powered Security Scanner")
+        print("=" * 50)
+
+    if is_tty:
+        # Target info table (rich formatting)
+        target_table = Table(show_header=True, header_style="bold cyan", border_style="cyan")
+        target_table.add_column("Type", style="dim")
+        target_table.add_column("Target", style="white")
+        
+        for target_info in args.targets_info:
+            target_type = target_info.get("type", "URL")
+            target_table.add_row(target_type, target_info["original"])
+        
+        console.print(Panel(target_table, title="[bold cyan]🎯 Targets", border_style="cyan"))
+        console.print()
 
-    # Config info
-    config_text = Text()
-    config_text.append("📁 Results: ", style="dim")
-    config_text.append(f"exaai_runs/{args.run_name}\n", style="white")
-    if args.instruction:
-        config_text.append("📝 Instruction: ", style="dim")
-        config_text.append(f"{args.instruction[:100]}{'...' if len(args.instruction) > 100 else ''}", style="white")
-    
-    console.print(Panel(config_text, title="[bold green]⚙️ Configuration", border_style="green"))
-    console.print()
+        # Config info
+        config_text = Text()
+        config_text.append("📁 Results: ", style="dim")
+        config_text.append(f"exaai_runs/{args.run_name}\n", style="white")
+        if args.instruction:
+            config_text.append("📝 Instruction: ", style="dim")
+            config_text.append(f"{args.instruction[:100]}{'...' if len(args.instruction) > 100 else ''}", style="white")
+        
+        console.print(Panel(config_text, title="[bold green]⚙️ Configuration", border_style="green"))
+        console.print()
+    else:
+        # Simple text output for headless mode
+        print(f"Targets: {[t['original'] for t in args.targets_info]}")
+        print(f"Results: exaai_runs/{args.run_name}")
+        if args.instruction:
+            print(f"Instruction: {args.instruction[:100]}")
+        print("-" * 50)
 
     scan_config = {
         "scan_id": args.run_name,
@@ -71,7 +98,12 @@ async def run_cli(args: Any) -> None:  # noqa: PLR0915
         "run_name": args.run_name,
     }
 
-    llm_config = LLMConfig()
+    # Handle prompt modules
+    prompt_modules = None
+    if getattr(args, "prompt_modules", None):
+        prompt_modules = [m.strip() for m in args.prompt_modules.split(",")]
+
+    llm_config = LLMConfig(prompt_modules=prompt_modules)
     agent_config = {
         "llm_config": llm_config,
         "max_iterations": 300,

exaaiagnt/interface/main.py

@@ -242,7 +242,7 @@ async def warm_up_llm() -> None:
 
 def get_version() -> str:
     """Get the current ExaAi version."""
-    return "2.1.0"
+    return "2.1.2"
 
 
 def parse_arguments() -> argparse.Namespace:
@@ -276,6 +276,10 @@ Examples:
   # Custom instructions
   exaai -t example.com -i "Focus on authentication vulnerabilities"
   exaai -t example.com --instruction ./instructions.txt
+
+  # Specific security modules
+  exaai -t example.com --prompt-modules kubernetes_security,cloud_security
+  exaai -t example.com --prompt-modules prompt_injection
         """,
     )
 
@@ -306,6 +310,12 @@ Examples:
         "or test credentials (e.g., 'Use the following credentials: admin:password123'). "
         "You can also provide a path to a file containing detailed instructions.",
     )
+    parser.add_argument(
+        "--prompt-modules",
+        type=str,
+        help="Comma-separated list of prompt modules to load (e.g., 'kubernetes_security,prompt_injection'). "
+        "Overrides auto-detection.",
+    )
     parser.add_argument(
         "--run-name",
         type=str,

exaaiagnt/interface/tui.py

@@ -45,7 +45,7 @@ def get_package_version() -> str:
         return pkg_version("exaai-agent")
     except PackageNotFoundError:
         # Fallback version if package not installed
-        return "2.0.4"
+        return "2.1.2"
 
 
 class ChatTextArea(TextArea):  # type: ignore[misc]
@@ -80,7 +80,7 @@ class SplashScreen(Static):  # type: ignore[misc]
     NEON_ORANGE = "#ff8800"
     SOFT_WHITE = "#e0e0e0"
     
-    # Enhanced ASCII Logo - ExaAi v2.0.4
+    # Enhanced ASCII Logo - ExaAi v2.1.2
     BANNER = r"""
     ███████╗██╗  ██╗ █████╗      █████╗ ██╗
     ██╔════╝╚██╗██╔╝██╔══██╗    ██╔══██╗██║
@@ -104,7 +104,7 @@ class SplashScreen(Static):  # type: ignore[misc]
         self._animation_step = 0
         self._animation_timer: Timer | None = None
         self._panel_static: Static | None = None
-        self._version = "2.1.0"
+        self._version = "2.1.2"
 
     def compose(self) -> ComposeResult:
         self._version = get_package_version()
@@ -181,14 +181,14 @@ class SplashScreen(Static):  # type: ignore[misc]
         return text
 
     def _build_new_features_text(self) -> Text:
-        """Build new features highlight for v2.0.4."""
+        """Build new features highlight for v2.1.0."""
         text = Text("🔥 ", style=Style(color=self.NEON_ORANGE))
         text.append("NEW: ", style=Style(color=self.NEON_ORANGE, bold=True))
-        text.append("React2Shell", style=Style(color=self.NEON_PINK))
+        text.append("K8s Security", style=Style(color=self.NEON_PINK))
         text.append(" • ", style=Style(color=self.SOFT_WHITE, dim=True))
-        text.append("Cloud Security", style=Style(color=self.NEON_CYAN))
+        text.append("Prompt Injection", style=Style(color=self.NEON_CYAN))
         text.append(" • ", style=Style(color=self.SOFT_WHITE, dim=True))
-        text.append("Auto-Discovery", style=Style(color=self.NEON_GREEN))
+        text.append("Azure/GCP", style=Style(color=self.NEON_GREEN))
         return text
 
 
@@ -391,7 +391,11 @@ class ExaaiTUIApp(App):  # type: ignore[misc]
         }
 
     def _build_agent_config(self, args: argparse.Namespace) -> dict[str, Any]:
-        llm_config = LLMConfig()
+        prompt_modules = None
+        if getattr(args, "prompt_modules", None):
+            prompt_modules = [m.strip() for m in args.prompt_modules.split(",")]
+
+        llm_config = LLMConfig(prompt_modules=prompt_modules)
 
         config = {
             "llm_config": llm_config,

exaaiagnt/llm/llm.py

@@ -424,19 +424,54 @@ class LLM:
             else:
                 completion_args["reasoning_effort"] = "high"
 
-        # Use Adaptive Traffic Controller for intelligent rate limiting
+        # Use Adaptive Traffic Controller for intelligent rate limiting with retries
         controller = get_traffic_controller()
         agent_id = self.agent_id or "unknown_agent"
         
         async def do_request():
-            from litellm import completion
-            return completion(**completion_args, stream=False)
-        
-        response = await controller.queue_request(
-            do_request,
-            agent_id=agent_id,
-            priority=RequestPriority.NORMAL
+            try:
+                from litellm import completion
+                return await completion(**completion_args, stream=False)
+            except litellm.RateLimitError:
+                # Let tenacity (in controller) handle retry
+                raise 
+            except Exception as e:
+                # Log other transient errors for potential retry
+                logger.warning(f"Transient LLM error: {e}")
+                raise
+
+        # Wrap in retry logic
+        from tenacity import (
+            retry,
+            stop_after_attempt,
+            wait_exponential,
+            retry_if_exception_type,
+        )
+        import litellm
+
+        @retry(
+            retry=retry_if_exception_type((
+                litellm.RateLimitError, 
+                litellm.ServiceUnavailableError, 
+                litellm.APIConnectionError, 
+                litellm.Timeout
+            )),
+            wait=wait_exponential(multiplier=1, min=4, max=60),
+            stop=stop_after_attempt(5),
+            reraise=True
         )
+        async def execute_with_retries():
+            return await controller.queue_request(
+                do_request,
+                agent_id=agent_id,
+                priority=RequestPriority.NORMAL
+            )
+
+        try:
+            response = await execute_with_retries()
+        except Exception:
+            self._total_stats.failed_requests += 1
+            raise
 
         self._total_stats.requests += 1
         self._last_request_stats = RequestStats(requests=1)

exaaiagnt/llm/llm_traffic_controller.py

@@ -54,11 +54,13 @@ class AdaptiveLLMController:
     """
     
     _instance: Optional["AdaptiveLLMController"] = None
+    _lock_cls = __import__("threading").Lock()
     
     def __new__(cls) -> "AdaptiveLLMController":
-        if cls._instance is None:
-            cls._instance = super().__new__(cls)
-            cls._instance._initialized = False
+        with cls._lock_cls:
+            if cls._instance is None:
+                cls._instance = super().__new__(cls)
+                cls._instance._initialized = False
         return cls._instance
     
     def __init__(self):

exaaiagnt/prompts/README.md

@@ -43,12 +43,14 @@ The modules are dynamically injected into the agent's system prompt, allowing it
 | `race_conditions` | Race condition and TOCTOU exploits |
 | `path_traversal` | Directory traversal attacks |
 
-### NEW: Advanced Modules
+### NEW: Advanced Modules (v2.1)
 
 | Module | Description |
 |--------|-------------|
 | `api_security` | REST, GraphQL, gRPC API security testing |
 | `cloud_security` | AWS, Azure, GCP security assessment |
+| `kubernetes_security` | **NEW!** K8s RBAC, Pod Security, Network Policy audit |
+| `prompt_injection` | **NEW!** AI/LLM prompt injection & jailbreaking |
 | `reconnaissance_osint` | Reconnaissance and OSINT techniques |
 | `privilege_escalation` | Linux/Windows privilege escalation |
 | `high_impact_bugs` | Bug bounty hunting for critical vulns |

exaaiagnt/prompts/auto_loader.py

@@ -210,6 +210,37 @@ MODULE_PATTERNS = {
         ],
         "keywords": ["aws", "s3", "ec2", "lambda", "azure", "gcp", "cloud", "bucket", "metadata"],
     },
+    
+    # Kubernetes Security (NEW v2.1)
+    "kubernetes_security": {
+        "url_patterns": [
+            r"/api/v1/",
+            r"/apis/",
+            r":6443",
+            r":10250",
+            r":8443",
+        ],
+        "keywords": ["kubernetes", "k8s", "kubectl", "pod", "deployment", "service", 
+                    "ingress", "helm", "kubelet", "etcd", "rbac", "namespace"],
+    },
+    
+    # AI/LLM Prompt Injection (NEW v2.1)
+    "prompt_injection": {
+        "url_patterns": [
+            r"/chat",
+            r"/completions",
+            r"/generate",
+            r"/ask",
+            r"/ai",
+            r"/llm",
+            r"/v1/chat",
+            r"/v1/completions",
+            r"/assistant",
+        ],
+        "keywords": ["openai", "anthropic", "llm", "gpt", "claude", "chatbot", 
+                    "ai assistant", "langchain", "llama", "gemini", "copilot",
+                    "rag", "embedding", "vector", "prompt"],
+    },
 }
 
 

exaaiagnt/prompts/cloud/azure_cloud_security.jinja

@@ -0,0 +1,126 @@
+<azure_security_guide>
+<title>AZURE CLOUD SECURITY AUDIT</title>
+
+<critical>Azure is the enterprise cloud. Misconfigurations in Azure AD, Blob Storage, and Managed Identities are primary attack vectors. Default settings often expose resources publicly. Entra ID (formerly Azure AD) is the crown jewel - compromise it, own everything.</critical>
+
+<scope>
+- Identity: Azure AD (Entra ID), Service Principals, Managed Identities
+- Storage: Blob Storage, Azure Files, Data Lake
+- Compute: VMs, App Service, Functions, AKS
+- Network: NSGs, Azure Firewall, Private Link, VNet
+- Secrets: Key Vault, App Configuration
+</scope>
+
+<methodology>
+1. **Reconnaissance**: Enumerate subscriptions, resource groups, and public assets.
+2. **Identity Audit**: Check Azure AD roles, conditional access policies, MFA enforcement.
+3. **Storage Audit**: Scan for public blobs, SAS token misuse, anonymous access.
+4. **Compute Audit**: Check VM extensions, managed identity permissions, IMDS exposure.
+5. **Network Audit**: Verify NSG rules, private endpoints, exposed services.
+6. **Secrets Audit**: Key Vault access policies, secret rotation, RBAC vs Access Policies.
+</methodology>
+
+<attack_vectors>
+- **Public Blob Storage**: Anonymous read access to containers.
+- **SAS Token Abuse**: Overly permissive or leaked SAS tokens.
+- **IMDS v1**: Instance metadata service for credential theft (169.254.169.254).
+- **Service Principal Secrets**: Exposed or non-rotating SP credentials.
+- **Managed Identity Abuse**: Over-privileged managed identities on VMs/Functions.
+- **Azure AD Misconfig**: Guest users with elevated roles, no conditional access.
+- **Key Vault RBAC**: Users with Key Vault Contributor can read secrets.
+- **ARM Template Secrets**: Secrets hardcoded in deployments.
+</attack_vectors>
+
+<critical_checks>
+<storage>
+# Check for public blob containers
+az storage container list --account-name <storage> --query "[?properties.publicAccess!=null]"
+
+# Check for anonymous access
+az storage blob list --container-name <container> --account-name <storage> --auth-mode key
+</storage>
+
+<identity>
+# List Service Principals with secrets
+az ad sp list --all --query "[?passwordCredentials]"
+
+# Check for high-privilege role assignments
+az role assignment list --all --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor']"
+
+# Managed Identity check
+az vm identity show --name <vm> --resource-group <rg>
+</identity>
+
+<network>
+# Check for open NSG rules (any source)
+az network nsg rule list --nsg-name <nsg> --resource-group <rg> --query "[?sourceAddressPrefix=='*' && access=='Allow']"
+
+# Find public IPs
+az network public-ip list --query "[?ipAddress!=null]"
+</network>
+
+<keyvault>
+# Check Key Vault access policies
+az keyvault show --name <vault> --query "properties.accessPolicies"
+
+# Check for RBAC mode (preferred)
+az keyvault show --name <vault> --query "properties.enableRbacAuthorization"
+</keyvault>
+</critical_checks>
+
+<automation_script>
+```python
+import subprocess
+import json
+
+def run_az(cmd: list) -> dict:
+    """Run Azure CLI command and return JSON."""
+    result = subprocess.run(["az"] + cmd + ["-o", "json"], capture_output=True, text=True)
+    return json.loads(result.stdout) if result.returncode == 0 else {}
+
+def audit_azure():
+    findings = []
+    
+    # Check public storage containers
+    accounts = run_az(["storage", "account", "list"])
+    for acc in accounts:
+        containers = run_az(["storage", "container", "list", "--account-name", acc["name"], "--auth-mode", "login"])
+        for container in containers:
+            if container.get("properties", {}).get("publicAccess"):
+                findings.append({
+                    "severity": "CRITICAL",
+                    "title": "Public Blob Container",
+                    "resource": f"{acc['name']}/{container['name']}",
+                    "remediation": "Set publicAccess to None"
+                })
+    
+    # Check privileged role assignments
+    assignments = run_az(["role", "assignment", "list", "--all"])
+    for assignment in assignments:
+        if assignment.get("roleDefinitionName") in ["Owner", "User Access Administrator"]:
+            findings.append({
+                "severity": "HIGH",
+                "title": f"Privileged Role: {assignment['roleDefinitionName']}",
+                "resource": assignment.get("principalName"),
+                "remediation": "Review and apply least privilege"
+            })
+    
+    return findings
+
+if __name__ == "__main__":
+    for f in audit_azure():
+        print(f"[{f['severity']}] {f['title']}: {f['resource']}")
+```
+</automation_script>
+
+<remediation_guide>
+1. **Disable Public Blob Access**: Set `allowBlobPublicAccess: false` at storage account level.
+2. **Use Managed Identities**: Avoid Service Principal secrets where possible.
+3. **Enable MFA**: Enforce MFA for all users via Conditional Access.
+4. **Use RBAC for Key Vault**: Switch from Access Policies to Azure RBAC.
+5. **Private Endpoints**: Use Private Link for storage, databases, and Key Vault.
+6. **Enable Defender for Cloud**: Turn on security recommendations and alerts.
+7. **Rotate Secrets**: Automate rotation for Service Principal secrets and keys.
+</remediation_guide>
+
+</azure_security_guide>

exaaiagnt/prompts/cloud/gcp_cloud_security.jinja

@@ -0,0 +1,158 @@
+<gcp_security_guide>
+<title>GOOGLE CLOUD PLATFORM (GCP) SECURITY AUDIT</title>
+
+<critical>GCP's IAM model is powerful but complex. Over-permissive service accounts, public Cloud Storage buckets, and metadata service abuse are the top attack vectors. Workload Identity Federation and VPC Service Controls are critical but often misconfigured.</critical>
+
+<scope>
+- Identity: IAM policies, Service Accounts, Workload Identity
+- Storage: Cloud Storage (GCS), BigQuery, Firestore
+- Compute: Compute Engine, Cloud Functions, Cloud Run, GKE
+- Network: VPC, Firewall Rules, Private Google Access
+- Secrets: Secret Manager, KMS
+</scope>
+
+<methodology>
+1. **Reconnaissance**: Enumerate projects, service accounts, and public assets.
+2. **IAM Audit**: Check for overly permissive roles (Editor, Owner) on service accounts.
+3. **Storage Audit**: Scan for public buckets, allUsers/allAuthenticatedUsers ACLs.
+4. **Compute Audit**: Check metadata server access, service account scopes, public IPs.
+5. **Network Audit**: Verify firewall rules, VPC Service Controls, Private Google Access.
+6. **Secrets Audit**: Secret Manager access, KMS key permissions.
+</methodology>
+
+<attack_vectors>
+- **Public GCS Buckets**: `allUsers` read access on sensitive buckets.
+- **Metadata Server Abuse**: `http://metadata.google.internal/computeMetadata/v1/` for token theft.
+- **Service Account Key Leakage**: JSON keys committed to repos or logs.
+- **Default Service Account**: Compute Engine default SA with Editor role.
+- **Over-privileged IAM**: Service accounts with `roles/editor` or `roles/owner`.
+- **Workload Identity Misconfiguration**: Allowing external identities to impersonate SAs.
+- **Public Cloud Functions**: Functions with `allUsers` invoker permission.
+- **BigQuery Public Datasets**: Datasets readable by `allAuthenticatedUsers`.
+</attack_vectors>
+
+<critical_checks>
+<storage>
+# Check for public buckets
+gsutil iam get gs://<bucket> | grep -E "allUsers|allAuthenticatedUsers"
+
+# List all buckets
+gsutil ls
+
+# Check bucket ACLs
+gsutil acl get gs://<bucket>
+</storage>
+
+<iam>
+# List all service accounts
+gcloud iam service-accounts list
+
+# Check service account keys (should be minimal)
+gcloud iam service-accounts keys list --iam-account=<sa-email>
+
+# Find over-privileged bindings
+gcloud projects get-iam-policy <project> --format=json | jq '.bindings[] | select(.role | contains("owner") or contains("editor"))'
+
+# Check for external members
+gcloud projects get-iam-policy <project> --format=json | jq '.bindings[].members[] | select(contains("user:") | not)'
+</iam>
+
+<compute>
+# Check default service account usage
+gcloud compute instances list --format="table(name,serviceAccounts.email)"
+
+# Metadata server access test (from compromised instance)
+curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
+
+# Check for public IPs
+gcloud compute instances list --format="table(name,networkInterfaces[].accessConfigs[].natIP)"
+</compute>
+
+<functions>
+# Check for public invocation
+gcloud functions describe <function> --format="value(invokerMembers)"
+# If contains "allUsers" = PUBLIC
+</functions>
+
+<firewall>
+# List all firewall rules allowing 0.0.0.0/0
+gcloud compute firewall-rules list --filter="sourceRanges=0.0.0.0/0" --format="table(name,allowed,direction)"
+</firewall>
+</critical_checks>
+
+<automation_script>
+```python
+import subprocess
+import json
+
+def run_gcloud(cmd: list) -> dict:
+    """Run gcloud command and return JSON."""
+    result = subprocess.run(["gcloud"] + cmd + ["--format=json"], capture_output=True, text=True)
+    return json.loads(result.stdout) if result.returncode == 0 else []
+
+def audit_gcp(project: str):
+    findings = []
+    
+    # Check for service account keys (should be 0 or 1)
+    sas = run_gcloud(["iam", "service-accounts", "list", f"--project={project}"])
+    for sa in sas:
+        keys = run_gcloud(["iam", "service-accounts", "keys", "list", 
+                          f"--iam-account={sa['email']}", f"--project={project}"])
+        user_keys = [k for k in keys if k.get("keyType") == "USER_MANAGED"]
+        if len(user_keys) > 0:
+            findings.append({
+                "severity": "HIGH",
+                "title": "User-Managed SA Keys Exist",
+                "resource": sa["email"],
+                "details": f"{len(user_keys)} user-managed keys found",
+                "remediation": "Use Workload Identity or VM Service Accounts instead of keys"
+            })
+    
+    # Check IAM for overly permissive roles
+    policy = run_gcloud(["projects", "get-iam-policy", project])
+    for binding in policy.get("bindings", []):
+        if any(role in binding.get("role", "") for role in ["owner", "editor"]):
+            for member in binding.get("members", []):
+                if member.startswith("serviceAccount:"):
+                    findings.append({
+                        "severity": "CRITICAL",
+                        "title": f"Service Account with {binding['role']}",
+                        "resource": member,
+                        "remediation": "Replace with fine-grained roles"
+                    })
+    
+    # Check for public firewall rules
+    rules = run_gcloud(["compute", "firewall-rules", "list", f"--project={project}"])
+    for rule in rules:
+        if "0.0.0.0/0" in rule.get("sourceRanges", []):
+            if rule.get("allowed"):
+                findings.append({
+                    "severity": "MEDIUM",
+                    "title": "Firewall Rule Allows 0.0.0.0/0",
+                    "resource": rule["name"],
+                    "details": f"Allows: {rule['allowed']}",
+                    "remediation": "Restrict source ranges to known IPs"
+                })
+    
+    return findings
+
+if __name__ == "__main__":
+    import sys
+    project = sys.argv[1] if len(sys.argv) > 1 else "your-project"
+    for f in audit_gcp(project):
+        print(f"[{f['severity']}] {f['title']}: {f['resource']}")
+```
+</automation_script>
+
+<remediation_guide>
+1. **Remove SA Keys**: Delete all user-managed service account keys. Use Workload Identity.
+2. **Least Privilege IAM**: Replace Editor/Owner with specific roles.
+3. **Private Buckets**: Remove allUsers/allAuthenticatedUsers from bucket IAM.
+4. **VPC Service Controls**: Enable for sensitive projects.
+5. **OS Login**: Use OS Login instead of SSH keys for VM access.
+6. **Private Google Access**: Enable for subnets to access Google APIs privately.
+7. **Security Command Center**: Enable for vulnerability and threat detection.
+8. **Organization Policies**: Enforce constraints (no public IPs, no external sharing).
+</remediation_guide>
+
+</gcp_security_guide>